Description
A flaw has been found in itsourcecode School Management System 1.0. This impacts an unknown function of the file /settings/index.php of the component Setting Handler. Manipulation of the argument ID causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.
Published: 2026-02-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The Settings Handler page of the School Management System processes an ID parameter without proper validation, allowing attackers to inject arbitrary SQL statements. This flaw can lead to unauthorized reading or modification of database contents, exposing sensitive student data or altering system configuration, and is classified as CWE-74 and CWE-89.

Affected Systems

itsourcecode School Management System version 1.0, which implements Settings Handler at /settings/index.php; no other affected products are listed.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 score of 6.9 (Medium). EPSS is below 1% (Very Low), yet the exploit is publicly available and the flaw can be triggered remotely via a crafted ID argument. The flaw is not in the CISA KEV catalog but remains a valid risk for any installation lacking mitigation.

Generated by OpenCVE AI on April 17, 2026 at 14:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the School Management System to a version that fixes the input validation issue.
  • Validate and sanitize the ID parameter, using parameterized queries or prepared statements to prevent SQL construction.
  • Restrict the database user’s privileges to the minimum required for the application to reduce damage from injection attempts.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:itsourcecode:school_management_system:1.0:*:*:*:*:*:*:*

Fri, 27 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description A flaw has been found in itsourcecode School Management System 1.0. This impacts an unknown function of the file /settings/index.php of the component Setting Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.
Title itsourcecode School Management System Setting index.php sql injection
First Time appeared Itsourcecode
Itsourcecode school Management System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:itsourcecode:school_management_system:*:*:*:*:*:*:*:*
Vendors & Products Itsourcecode
Itsourcecode school Management System
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-27T15:44:41.552Z

Reserved: 2026-02-26T14:22:33.692Z

Link: CVE-2026-3261

Vulnrichment

Updated: 2026-02-27T15:44:36.879Z

NVD

Status: Analyzed

Published: 2026-02-26T22:20:51.757

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses